I know it's an old subject, but if anyone is in the US, in the Jacksonville, FL area, come to the Jacksonville Linux Users Group tonight. I'm doing a presentation on the security flaws of the WEP protocol, and demonstrating how easy it is to subvert. Details and slides at the link below:

See them all the time. If we're doing a wireless assessment and the client is in a dense area (tall building, office park, etc.) we'll find at least half a dozen WEP APs from various other companies that share the facility. Heaven help you if the client's building is downtown near apartments. Not only do you have to bust out the directionals in order to make sure those APs are not inside the client's area, you also need to explain to them why the raw outputs you include in your work papers show AP names like "I [blanked] your sister" and "I have a giraffe [male genitalia]".

My presentation went really well, I got a lot of positive feedback. This was my first presentation, by the way.

pseud0, I'm curious now. Do outside Wi-Fi networks affect a pentest at all? I know you would be looking for rogue APs internally, but I'm curious about outside networks. I also got to show off a homemade directional antenna at my presentation, pretty cool stuff.

There are a lot of vendor products that use WEP for scan guns. I have a few of those where I am and it drives me batty. Thankfully if you compromise them you won't get much and you won't get on the main network. But still, c'mon vendors, get with it!

3xban wrote: There are a lot of vendor products that use WEP for scan guns. I have a few of those where I am and it drives me batty. Thankfully if you compromise them you won't get much and you won't get on the main network. But still, c'mon vendors, get with it!

I was fighting this battle for a while until we had another problem with our scan guns and I convinced my boss to upgrade the scan guns rather than just replacing them with used ones.

The only really significant problem we run into with the "outside" APs is proving that they are "outside". If you're looking for rogue access points it can get really difficult to figure out what might actually be on the client network and what is actually sitting at the law firm the floor above or the hedge fund the floor below. The secondary risk for finding open access points outside of the client network is that employees might connect to it so that they can visit internet sites that are blocked by the corporate network. They can get infected and then reconnect to the corporate network and cause a breach.
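The triage problem pseud0 describes (which APs in a survey are the client's, which are WEP, and which strong unknown radios need a directional antenna before they can be called rogue) can be scripted against the survey output. The following is an added example, not code from this thread or from any poster; the survey records, the BSSID inventory and the -50 dBm "probably on this floor" threshold are all constructed for illustration:

```python
# Added example (not from the thread): triage a wireless survey so that
# WEP networks and access points missing from the client's inventory stand
# out in the work papers. All data below is constructed sample data.

from dataclasses import dataclass


@dataclass
class ApRecord:
    ssid: str
    bssid: str
    encryption: str   # e.g. "WEP", "WPA2", "OPEN"
    rssi_dbm: int     # signal strength as seen from inside the client space


# Constructed survey: two in-scope corporate APs, one WEP scan-gun network,
# one open AP from a neighbouring tenant, one strong WEP AP nobody claims.
SURVEY = [
    ApRecord("corp-wifi", "00:11:22:33:44:01", "WPA2", -48),
    ApRecord("corp-guest", "00:11:22:33:44:02", "WPA2", -55),
    ApRecord("WAREHOUSE-SCAN", "00:11:22:33:44:10", "WEP", -60),
    ApRecord("lawfirm-free", "aa:bb:cc:dd:ee:01", "OPEN", -78),
    ApRecord("linksys", "aa:bb:cc:dd:ee:02", "WEP", -42),
]

# Constructed asset inventory: BSSIDs the client confirms as theirs.
AUTHORIZED_BSSIDS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:10",
}

# Hypothetical threshold: at or above this RSSI the radio is usually on the
# same floor; below it, walk it with a directional antenna before deciding.
NEARBY_RSSI_DBM = -50


def triage(survey, authorized, nearby_rssi=NEARBY_RSSI_DBM):
    """Return (bssid, finding) tuples describing what each AP needs.

    Authorized APs are only reported when they still run WEP. Unknown APs
    get a localization note based on signal strength, and open unknown APs
    get a policy reminder, since staff may use them to bypass web filtering.
    """
    findings = []
    for ap in survey:
        owned = ap.bssid in authorized
        is_wep = ap.encryption.upper() == "WEP"
        if is_wep and owned:
            findings.append((ap.bssid, "client WEP network: migrate to WPA2/WPA3"))
        elif is_wep:
            findings.append((ap.bssid, "WEP network of unknown ownership"))
        if not owned:
            if ap.rssi_dbm >= nearby_rssi:
                findings.append((ap.bssid, "unknown AP, strong signal: localize physically before classifying"))
            else:
                findings.append((ap.bssid, "unknown AP, weak signal: likely a neighbouring tenant"))
            if ap.encryption.upper() == "OPEN":
                findings.append((ap.bssid, "open AP in range: remind staff of policy on outside networks"))
    return findings


if __name__ == "__main__":
    for bssid, note in triage(SURVEY, AUTHORIZED_BSSIDS):
        print(f"{bssid}  {note}")
```

Feeding it a real survey means mapping whatever the scanning tool emits onto `ApRecord`; the inventory of authorized BSSIDs is the part that has to come from the client, since without it every unknown strong radio is just a candidate for a walk with the directional.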

eth3real wrote:What's even worse is wireless security cameras that use WEP.

No those are great ;)

Over at BsidesDE this past weekend there was a talk by InfoSecJanitor that was really cool and scary. Many manufacturers of cars, appliances and electronics are continuing to use WiFi-based communications for various services. WiFi light bulbs, tire pressure sensors, refrigerators able to call in parts servicing for you. Freaky stuff!